
CAPTCHA, Anti-Captcha

What is a CAPTCHA?

A CAPTCHA or Captcha (pronounced /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. Thus, it is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires that the user type letters or digits from a distorted image that appears on the screen.

Applications of CAPTCHAs

CAPTCHAs have several applications for practical security, including (but not limited to):

  • Preventing Comment Spam in Blogs.
  • Protecting Website Registration.
  • Online Polls.
  • Preventing Dictionary Attacks.
  • Search Engine Bots.
  • Worms and Spam.

The general purpose of CAPTCHAs is to prevent the automation of form submission: for example, to protect a guestbook from filling up with spam entries, or to prevent hundreds of bogus users registering on a forum.

The Anti-CAPTCHA Challenge

Until recently, image-based CAPTCHAs have been a reasonable solution to combat this problem. However, with Optical Character Recognition (OCR) techniques getting better and better, CAPTCHAs too have to continuously increase in complexity.

Ironically, it’s come to the point that computers are better at deciphering CAPTCHAs than humans are, simply because computers have infinite patience.

To illustrate: evildoers trying to beat your Captcha are probably satisfied with a success ratio of 1/100 – because in just a few hours of repetition this can add up to hundreds of successful passes. A typical human user on the other hand probably throws in the towel after three consecutive failed attempts – at which point they’ll most likely leave your website altogether.

Who can blame them? The average user doesn’t understand why they should enter a random string of letters in the first place. It’s not their problem and they do not care what it is for. For them it’s some sort of annoying puzzle that stands in the way of doing what they want to do. Not being able to pass it makes them feel inadequate and frustrated.

So, to avoid repelling visitors from your website, a new technique, “Anti-Captcha”, has arisen.

The basic idea behind it is simple: “Create a CAPTCHA solution which does not require any end-user interaction.”

How it works

Basically it is a combination of obfuscated JavaScript and checksum validation against the session. The process includes:

  1. Generate a random token.
  2. Store a checksum of this token in the session.
  3. Generate some obfuscated JavaScript code which (when interpreted) adds a hidden input field to every form element on the webpage, using the token as its value.
  4. Verify that the checksum of the submitted token matches the checksum stored in the session.

As a bonus, this technique should also provide adequate protection against XSRF.

Requirements
The technique relies on JavaScript, so the browser must have JavaScript enabled for the anti-captcha to work: without it, the hidden field is never added and form submission will not succeed.

Caveats
Obviously this technique isn’t perfect; at some point bots might gain the ability to interpret JavaScript, or simply read out the obfuscated code instead. At that time a different approach, with a similar concept, would be needed.

It should also be possible to fool the Anti-Captcha with the use of “automated mouse-clicking software”. However, this should be very hard to combine with botnets, which makes additional security layers (for example, capping form submissions on a per-IP basis) more feasible.

Another major drawback is the need for JavaScript to allow form submissions, which is something you should ponder over yourself. Personally I feel it outweighs the disadvantages image-based CAPTCHAs bring, but this probably depends on the project at hand.
